Nuwellis, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Nuwellis, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 17:08:24 EDT.

Filings

10-K filed on 2024-03-11

Nuwellis, Inc. filed an 10-K at 2024-03-11 17:08:24 EDT
Accession Number: 0001140361-24-012644

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We value the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. We have a cross-departmental approach to addressing cybersecurity risk, including input from employees [from our information technology department], our senior vice president of operations and engineering, and our board of directors. The board of directors, Audit Committee, and senior and management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management protocols are comprised of software programs including antivirus protection, end-point threat detection, remote access, multifactor authentication. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include an employee handbook as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to incident response, confidential information and the use of internet, social media, email and wireless. These policies go through an internal review process and are approved by our senior vice president of operations and engineering. 34 Table of Contents Our Senior Vice President of Operations and Engineering is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the board of directors. Nuwellis leverages 3 rd party IT service provider and specifically their cybersecurity team s expertise. All employees are required to complete cybersecurity training as part of on-boarding process and on-going training both online and in-person. IT department assigns position specific security level encryption to manage information security We have continued to expand investments in IT security, including software programs and policies mentioned above. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation.] In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. The Audit Committee and the full board of directors periodically participate in discussions with management and amongst themselves regarding cybersecurity risks. As of 2023 the Audit Committee performs an annual review of the Company s cybersecurity program, which includes discussion of management s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. The Audit Committee s annual review also includes review of recent enhancements to the Company s defenses and management s progress on its cybersecurity strategic roadmap. Our board of directors has ultimate oversight of cybersecurity risk, which it manages as part of our risk management processes. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. Although the board members are former executives of publicly traded companies, none of them have specific cybersecurity experience. We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. Such occurrences could negatively impact our business strategy, reputation and results of operation. For more information about the cybersecurity risks we face, see our risk factors in Item 1A- Risk Factors in this Annual Report on Form 10-K.

Company Information